[Feature] Keycloak Flow settings

[Jirvil]

Is there an existing feature request for this?

• I have searched the existing issues

Is your feature related to a problem? Please describe.

The description of the Keycloak Flow settings in the documentation is not entirely clear.

Describe the solution you'd like

More detailed explanation of Flow settings.

Describe alternatives you've considered

Default Keycloak Browser Flow contains mixed required and alternative subflows/steps/authenticators, that, as described in documentation, can't be used in conjunction with keycloak-restrict-client-auth. Built-in Browser Flow contains Cookie, IdP and Forms alternatives on top. And you can't just add a keycloak-restrict-client-auth to the bottom of the list and set it as Required.
The solution is not just to create a copy of the built-in Bowser Flow, but to completely rebuild your own flow based on the Browser Flow. You need to create three sub-flows for Cookie, IdP and Forms and add keycloak-restrict-client-auth to each of this subflows.

Anything else?

No response

[sventorben]

Hey @Jirvil,

I know flows can become quite complicated and it may sometimes be a bit cumbersome to configure them. I made some minor changes to the docs, but would like to understand a little better where the exact issue is.

Default Keycloak Browser Flow contains mixed required and alternative subflows/steps/authenticators, that, as described in documentation, can't be used in conjunction with keycloak-restrict-client-auth.

Yes, and it is perfectly fine to do so as long as you do not have them on the same level. Where in the docs do you read that it is not supported?

Built-in Browser Flow contains Cookie, IdP and Forms alternatives on top. And you can't just add a keycloak-restrict-client-auth to the bottom of the list and set it as Required.

Ok, I changed the docs in this regard.

The solution is not just to create a copy of the built-in Bowser Flow

I can't find instructions like that in the docs.

You need to create three sub-flows for Cookie, IdP and Forms and add keycloak-restrict-client-auth to each of this subflows.

No, you do not have to. Please take a look at the example from the docs. It is not needed.

The Keycloak documentation has some good information about how to configure flows: https://www.keycloak.org/docs/21.0.1/server_admin/#_authentication-flows
I do not want to replicate any of that content. With that in mind, what else do you think is missing or unclear?

[Jirvil]

Hi @sventorben!
Thanks for your answer!

No, you do not have to. Please take a look at the example from the docs. It is not needed.

Your last image (the same one in the documentation) is different (for some reason) from the standard built-in Browser flow. You have a top-level "Login" sub-flow which is missing from the keycloak configuration (at least in my conf). (See image below).
In my Built-in Browser flow there are four Alternatives on top and there no place to correctly put the Required
keycloak-restrict-client-auth. That's why I wrote that it's not enough just to copy the standard browser flow and you need to build your own. I don't think it's very clear from the documentation.
But you are right, the structure may be different, with one common sub-flow and one keycloak-restrict-client-auth.